Hi,

I have been using SEC in our infrastructure for the past 2 years and our customers are extremely happy with the tool. It was all good so far, but yesterday I experienced a peculiar issue.
We have an SEC rule set up as below:

## Rule:2
## Last Updated At: 2015-03-19T17:39:21.297Z
## Rule:1 Vendor:Cisco BGP neighbor down alarm, alarm will be suppressed if neighbor recovers within 60 seconds. In case of 5 such events within 5 min a %BGP-5-FLAP: notification will be generated.
type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*((%BGP-5-ADJCHANGE:).* (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) Down.*)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*(($3).* ($4) Up.*)
desc2=$1 BGP Neighbor $4 flap detected
action2=event %s; shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=60

I noticed there were 2 events matching the above pattern. Device A and Device B are connected to each other, and on both devices the BGP neighbor connecting to each other was down. The problem was that SEC raised the above alerts with a delay of 4 hrs. Can you explain why there is this delay and how I can fix the issue?

Thanks,
shashi